From 2b6da59a0a5192fe957b1f0346261284cab9dac0 Mon Sep 17 00:00:00 2001
From: JHartman5
Date: Tue, 12 Nov 2024 13:27:36 -0500
Subject: [PATCH] feat(publisher-s3): allow ACL omission (#3728)
* feat(publisher-s3): allow ACL omission
This allows the caller to omit the ACL from the upload request, per Amazon's recommendation of using bucket owner-enforced permissions.
* Update packages/publisher/s3/src/Config.ts
Updates the documentation for the `omitAcl` option per the pull request review
Co-authored-by: Felix Rieseberg
---------
Co-authored-by: Felix Rieseberg
---
 packages/publisher/s3/src/Config.ts | 6 ++++++
 packages/publisher/s3/src/PublisherS3.ts | 17 ++++++++++-------
 2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/packages/publisher/s3/src/Config.ts b/packages/publisher/s3/src/Config.ts
index 0ff4d02c96..52abd50a30 100644
--- a/packages/publisher/s3/src/Config.ts
+++ b/packages/publisher/s3/src/Config.ts
@@ -38,6 +38,12 @@ export interface PublisherS3Config {
 * Default: false
 */
 public?: boolean;
+ /**
+ * Whether to omit the ACL when creating the S3 object. If set, `public` will have no effect.
+ *
+ * Default: false
+ */
+ omitAcl?: boolean;
 /**
 * The endpoint URI to send requests to.
 *
diff --git a/packages/publisher/s3/src/PublisherS3.ts b/packages/publisher/s3/src/PublisherS3.ts
index d7a05be60f..d76764866f 100644
--- a/packages/publisher/s3/src/PublisherS3.ts
+++ b/packages/publisher/s3/src/PublisherS3.ts
@@ -1,7 +1,7 @@
 import fs from 'fs';
 import path from 'path';
-import { S3Client } from '@aws-sdk/client-s3';
+import { PutObjectCommandInput, S3Client } from '@aws-sdk/client-s3';
 import { Progress, Upload } from '@aws-sdk/lib-storage';
 import { Credentials } from '@aws-sdk/types';
 import { PublisherOptions, PublisherStatic } from '@electron-forge/publisher-static';
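Review bot: The doc comment added for `omitAcl` in Config.ts says what is left out of the request but not what then governs access, which is what someone configuring a release bucket needs to know. With no ACL sent, who can read the uploaded artifact is decided by the bucket itself (its policy and ownership settings), so `public: false` stops being a statement about exposure. "If set" is also looser than the publisher's truthiness test `!this.config.omitAcl`, because `omitAcl: false` is set and still leaves `public` in force. Suggested wording for the first comment line: `* If true, no ACL is sent with the upload and the public option is ignored; who can read the object is then decided by the bucket's own policy and ownership settings.`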
@@ -59,15 +59,18 @@ export default class PublisherS3 extends PublisherStatic {
 await Promise.all(
 artifacts.map(async (artifact) => {
 d('uploading:', artifact.path);
+ const params: PutObjectCommandInput = {
+ Body: fs.createReadStream(artifact.path),
+ Bucket: this.config.bucket,
+ Key: this.keyForArtifact(artifact),
+ };
+ if (!this.config.omitAcl) {
+ params.ACL = this.config.public ? 'public-read' : 'private';
+ }
 const uploader = new Upload({
 client: s3Client,
 leavePartsOnError: true,
- params: {
- Body: fs.createReadStream(artifact.path),
- Bucket: this.config.bucket,
- Key: this.keyForArtifact(artifact),
- ACL: this.config.public ? 'public-read' : 'private',
- },
+ params,
 });
 uploader.on('httpUploadProgress', (progress: Progress) => {
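Review bot: When `omitAcl` is true and `public` is also configured, the `if (!this.config.omitAcl)` branch drops the ACL with no signal, so an operator can believe `public-read` or `private` was applied when the bucket's own settings decided the outcome. A one-time debug line ahead of the `Promise.all` would make the precedence visible: `if (this.config.omitAcl && this.config.public !== undefined) d('omitAcl is set: no ACL is sent and the public option is ignored');`. The diffstat lists only the two source files, so as far as this patch shows no spec asserts that `ACL` is absent from `params` when `omitAcl` is true and still `'private'` by default; the default is the security-relevant case to pin. The enclosing method starts and ends outside the hunk.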